How to Secure Your Mobile App the Easy Way
Mobile app hacking statistics:
- 163% increase in mobile malware in 2012
- 78% of the top 100 Android and iOS apps have been hacked
- less than 5% of popular apps contain professional-grade protections to defend against hacking attacks.
- 40% of popular free Apple iOS apps and 80% of the same free Android apps were found to have been hacked
Why do I care about mobile app security?
Cracked mobile apps create the potential for:
- revenue loss
- unauthorized access to critical data
- intellectual property theft
- fraud
- altered user experience
- brand damage
Does my mobile app need to be secure?
Yes…but some apps are at greater risk than others.
Riskier apps, the ones that need more security
If you have an app that...
- asks for location
- collects personal information from users (pics, names, address)
- relies on remote servers for storing and manipulating users’ data
Apps that don’t require as much security
- alarm clocks
- local notes
- apps that never talk to the web
How do they hack mobile apps?
Mobile apps are subject to many diverse types of hacks and tampering: attacks such as disabled or circumvented security, unlocked or modified features, free pirated copies, ad-removed versions, source code/IP theft, and illegal malware-infested versions.
I’m just a solo developer (or I develop for a small team). How can I secure my app when the big players can’t?
DO:
- Maintain updated libraries
- Try to use a secure mobile app content management system (CMS) to send content to users securely
- Use an encrypted web address to pull app content from mobile app cms
- Secure the server, data, AND app if you’re handling user data
- Consider supporting a desktop or laptop as a second factor for two-factor auth, in case your users lose their phones
- Encourage users to choose better passwords. At the very least, don’t allow “password” as a password
- Filter user inputs at the device level to prevent a SQL injection attack
- Store sensitive data in a secure location within the app’s sandbox (iOS: the built-in Keychain; Android: encrypt the data)
- Use a cryptographic hash function
- Comply with COPPA (kid data), HIPAA (health data), and Gramm-Leach-Bliley (financial data)
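The SQL injection point above, shown as an added example (not code from the original post): the same lookup against a local SQLite table, first with user input pasted into the query text, then parameterized. Python’s sqlite3 stands in for the on-device SQLite store that Android and iOS apps commonly use; the table and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for an app's local SQLite store;
# not from the original post.
_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def _fresh_db() -> sqlite3.Connection:
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def lookup_unsafe(username: str) -> list:
    """The defect: the input is concatenated into the SQL text, so a value
    containing a quote changes the query instead of being searched for."""
    conn = _fresh_db()
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(username: str) -> list:
    """The fix: a parameterized query. The driver binds the value, so whatever
    the user typed is only ever compared against the column, never parsed."""
    conn = _fresh_db()
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    crafted = "x' OR '1'='1"  # constructed input with an embedded quote
    print("unsafe:", len(lookup_unsafe(crafted)), "rows")  # every user leaks
    print("safe:  ", len(lookup_safe(crafted)), "rows")    # nothing matches
```

Filtering inputs helps, but binding parameters is what keeps a stray quote from rewriting the query; do both.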
DON’T:
- Treat content passed in as trusted
- Collect or keep data you don’t need
- Save user data to NSUserDefaults or SharedPreferences; these save it as plain text!
- Just drop any SDK into your mobile app. Make sure you trust the source and check its security
- Forget HTTPS for ‘GET’ and ‘POST’ requests carrying images, documents, user login credentials, and other commonly transferred data
- Ever connect to an insecure backend
- Create insecure credentials for your users (like usernames and passwords)
- Use a single, static encryption key
- Skip code reviews if you work with a team
What tools can I use to secure my mobile app without being a mobile app security expert?
- DuoSecurity, Twilio, or Google Auth – two-factor auth
- New Relic – keep an eye on your network
- Autosend – Send secure mobile app email, SMS, and push messages to users
- Thawte, Godaddy and Rapid SSL – Affordable SSL Certificates
- AWS – secure servers by default
- dsploit – Android penetration testing
- Zimperium – pentest tool for Android
- Weasel – Android app vulnerability scanning
- Flawfinder – iOS static code analysis
- Android reverse engineering: dex2jar, JD-GUI
- iOS reverse engineering: otool, class-dump-z
- http://www.scovetta.com/yasca.html
More tips from the mobile app security pros:
Prateek, Security Researcher for Infosec Institute says…
“One thing mobile devs can do now – make sure important information is not leaked or stored on the device. E.g., while storing data locally in iOS applications, one should not use NSUserDefaults, Plist files or even Core Data to store important information like access tokens, passwords etc. A better option would be to store it in the keychain, even though it is also not safe in case of a jailbroken device”
a) Encrypt any important file/information if it is to be stored locally on the device.
b) Critical applications like Banking applications should check for a jailbroken/rooted device and not work if it is jailbroken/rooted
c) Defend against operating system related vulnerabilities, e.g. in case of an iOS application, defend against runtime analysis/manipulation
Things to remember about mobile app security:
- The bigger the user base, the greater the need for strong security
- Mobile users often rely on insecure Wi-Fi networks
- Mobile users lose their devices, get them stolen, and let people borrow them
- If the NSA has taught us anything…Nothing is hack proof or 100% secure
Where to find more help to make your mobile app more secure:
- https://developer.android.com/training/articles/security-tips.html
- http://www.symantec.com/connect/blogs/android-mobile-app-pen-test-tricks-part-i-installing-ca-certificates
- http://blog.rietta.com/ – securing the web side of things
- http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing-iphone-ipad-apps.pdf
- http://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/
- http://security.stackexchange.com/
- http://blog.denimgroup.com/denim_group/
There you have it: a quick bit on mobile app security, the easy way. But there is always more to learn about mobile.
Check out these resources to help you make better mobile apps (more exciting ones) and don’t forget to share!